This documentation site is for previous versions. Visit our new documentation site for current releases.
 

Mitigating common security vulnerabilities

Updated on March 15, 2022

To make your system as secure as possible against cross-site request forgery (CSRF) attacks, attacks that abuse cross-origin resource sharing (CORS), and other types of vulnerabilities, configure policies on the Security Policies landing page, together with content security policies (CSP) and additional security restrictions.

According to the Open Web Application Security Project's (OWASP) official site, the OWASP Top 10 is a standard awareness document for developers and web application security specialists. The list represents a broad consensus about the most critical security risks to web applications.

Pegasystems uses the 2021 OWASP Top 10 Web Application Security Risks as a means of focusing on the most effective steps towards producing more secure code and applications. The OWASP Top 10 ranks the following security risks for web applications according to the frequency of discovered security defects, the severity of uncovered vulnerabilities, and the magnitude of their potential impact. The following list describes the tools that you can use in Pega Platform to address these risks.

Broken access control
Pega Platform restricts what authenticated users can do and enforces the policies that surround user access. For more information, see Using Access Control Checks.
Cryptographic failures
Pega Platform aids in proper configuration that prevents cryptographic failures and protects sensitive data. For more information, see:
Injection
Pega Platform prevents unintended commands from running or users from accessing data without proper authorization. For more information, see:
Insecure design
Insecure design represents various risks that are related to design flaws, beginning from the planning phase before the actual implementation. Insecure design differs from an insecure implementation, and a near-perfect implementation cannot prevent defects that result from insecure design. One of the factors that contributes to these design flaws is the failure to build security into an application early in the design process through threat modeling and secure design patterns and principles.
Security misconfiguration
To avoid the most common security issue, Pega Platform applications require secure configuration and timely updates and patches. Older or incorrectly configured XML processors evaluate external entity references within XML documents. Pega Platform code follows leading practices, in which XML parsing prevents XML external entity (XXE) injection. As part of the security development life cycle (SDLC), Pega Platform has code scanners that check new or modified code before it is merged into the repository. Through this process, bad code is blocked from the repository and you must address any vulnerabilities before completing the merge. For more information, see:
Vulnerable and outdated components
Applications and APIs that use components with known vulnerabilities might undermine application defenses and enable various attacks. This issue has several layers. The most effective ways to combat components with known vulnerabilities include:
  • Verifying that the pieces of your applications are the most secure versions available, with all updates and patches.
  • Verifying your applications with all external services, Pega Platform, and computer operating systems.
Pega Platform uses third-party components that also require security. Scanners run in the background to analyze libraries that the product uses, check whether those libraries are at risk, and then report the security status.
Identification and authentication failures
Pega Platform can prevent incorrect implementation of authentication and session management. For more information, see:
Software and data integrity failures
Software and data integrity failures occur when code or infrastructure does not properly protect against integrity violations, such as using plugins from untrusted sources. Pega Platform provides tools for proper deserialization, which prevents remote code from running. For more information, see Configuring the deserialization filter.
Security logging and monitoring failures
Pega Platform provides sufficient logging, monitoring, and effective incident response. For more information, see:
Server-side request forgery (SSRF)
SSRF is a web security vulnerability that an attacker can exploit to coerce a server-side application to make requests to an unintended location.
Cross-site request forgery (CSRF)
While no longer part of the OWASP Top 10, CSRF refers to an attack that forces an end user to complete unwanted actions on a web application in which they are currently authenticated. Pega Platform continues to protect applications against CSRF. For more information, see Understanding cross-site request forgery.

Learn more about the different techniques for mitigating common security vulnerabilities in the following topics:

  • Using Access Control Checks

    Use access control checks to identify broken custom code that must be fixed. During development, it is easy to introduce risks into your application by implementing custom code. By using access control checks, you help proactively fix your code by identifying potential issues.

  • Compliance with regulatory standards

    Regulatory compliance ensures that organizations are aware of and comply with relevant laws, policies, and regulations. Regulatory compliance is when a business follows international and local laws and regulations that are relevant to its operations.

  • Configuring the Java injection check

    At design time and at run time, Pega Platform checks activities, functions, and stream rules for particular Java injection vulnerabilities.

  • Implementing security guidelines for custom HTML

    The Rule Security Analyzer can find specific JavaScript or SQL coding patterns that might indicate a security vulnerability. The most effective way to search for vulnerabilities is to run the Rule Security Analyzer several times, each time matching against a different regular expression rule. If the Rule Security Analyzer finds problems, you can fix them to make your system more secure.

  • Understanding cross-site scripting

    Cross-site scripting is a client-side code injection attack, in which an attacker can run malicious scripts on a legitimate website or web application.

  • Using HTTP response headers

    To improve the security of your application against client-based attacks, you can use the HTTP response headers that are supported by your browser.

  • Defining cross-origin resource sharing policies

    Cross-origin resource sharing (CORS) policies define a method that enables a browser and server to interact and determine whether it is safe to allow a cross-origin request. For example, a client using a Pega Marketing application running in a browser may see advertisements from third parties, and if they click one of these advertisements, the CORS policy will record that the advertisement was viewed or clicked on.

  • Configuring the deserialization filter

    In Pega Platform, a global filter checks a list of blocked classes that are not allowed to be deserialized. You can add classes to the global deserialization filter to increase the security of your application by preventing unauthorized access.

  • Understanding cross-site request forgery
